Change file and folder permissions in bulk

One of the basic security measures on any server, and of course in WordPress, is to set the permissions of files and folders correctly. A standard WordPress installation normally assigns appropriate permissions to its files and folders, but sometimes you find surprises.

Whether through manual changes you no longer remember, uncontrolled access, or modifications made by plugins and scripts, sometimes not all WordPress files and folders end up with permissions that guarantee both usability and security at the same time.

Fortunately there are WordPress constants you can add to your configuration file (wp-config.php) to set, in one go, the permissions WordPress applies to the files and folders of the installation. To be precise, these constants govern the modes WordPress' own filesystem layer uses when it creates or replaces files and folders (for example during core, plugin and theme updates); they do not retroactively change what is already on disk, which you still fix with chmod, your FTP client or your hosting's file manager.

You just have to include the following code in your WordPress configuration file and save the changes:

In the code above we set the permissions to the values WordPress should have by default, but if you are particular about security, or for any other reason, you can set whichever permissions you prefer.
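As an added example (this copy of the post lacks the original snippet, and what follows is not it), these are the two constants WordPress provides for this, FS_CHMOD_DIR and FS_CHMOD_FILE, as they would go in wp-config.php. The stricter variant at the end is my own suggestion and assumes the web server reads the files as their owner or as a member of the owner's group.

```php
<?php
// Added example for wp-config.php: place these lines above "That's all, stop editing!".
// Both constants are read by WordPress' filesystem layer (WP_Filesystem, used by core,
// plugin and theme installs and updates) and decide the mode given to every folder and
// file it creates. Files already on disk keep whatever mode they have.
//
// Octal modes: 0755 = owner rwx, group and others rx   (folders)
//              0644 = owner rw,  group and others r    (files)
// "& ~umask()" clears the bits the process umask would strip anyway, so the constant
// reflects the mode that will really end up on disk.
define( 'FS_CHMOD_DIR',  ( 0755 & ~ umask() ) );
define( 'FS_CHMOD_FILE', ( 0644 & ~ umask() ) );

// Stricter variant (assumption: the web server user owns the files or belongs to their
// group; otherwise static files stop being served):
// define( 'FS_CHMOD_DIR',  ( 0750 & ~ umask() ) );
// define( 'FS_CHMOD_FILE', ( 0640 & ~ umask() ) );
```

The values only take effect on files WordPress writes from now on, which is why the warning in the next paragraph matters: a plugin that expects a world-writable cache folder will notice the difference the next time it is updated.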

Be warned: this is a fairly drastic change, and some plugins or even features of the active theme may misbehave or stop working once it is applied, because they sometimes require certain folders or files to have special permissions. So be careful before making mass changes like the one this code allows.

After updating I can't publish, only submit for review

A few days ago a good friend found that, after updating WordPress, he had lost permissions on his administrator account. He could not create users, among other things, but above all he could not even publish anything on his site: the only button available was the one to submit for review.

Investigating a bit I found some possible solutions to this embarrassing problem:

After any of these steps you should be able to publish again and access the rest of your site's settings; if one doesn't work, go on to the next one, and so on.

Check whether your WordPress 3.7 can update automatically

One of the new features of WordPress 3.7, in fact the fundamental one, is the ability to update itself automatically in the background, without our intervention, but it does not work on every installation.

Whether you want to update, or you have already updated but WordPress does not update on its own, there are several reasons why this can happen.

Because of permission problems, lack of OpenSSL support or the use of version control, around 20% of WordPress installations will not update automatically, but WordPress does not tell you the reason; it simply informs you that it will not update on its own.

If you want to know why, it's simple: install the Background Update Tester plugin, go to its page, which you'll find under "Dashboard -> Update Tester", and see why your WordPress does not update automatically.
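If you would rather see the reasons without installing another plugin, here is an added example (my code, not the Background Update Tester plugin and not from the post) of a small must-use plugin that evaluates the same kind of preconditions the automatic updater checks and lists the failing ones as an admin notice. The list of checks is my reading of what core requires (the constants, the filter, a version-control checkout above the install, a direct filesystem method, writability and SSL support); the message texts are my own, and the file is assumed to live in wp-content/mu-plugins/.

```php
<?php
/*
Plugin Name: Added example: why will this site not update in the background?
Description: Lists the preconditions for WordPress 3.7+ background updates that this site fails.
*/

/**
 * Return the reasons why the automatic updater would refuse to run (empty array = none found).
 */
function ex_auto_update_blockers() {
	$problems = array();

	if ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED ) {
		$problems[] = 'AUTOMATIC_UPDATER_DISABLED is true in wp-config.php';
	}
	if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) {
		$problems[] = 'DISALLOW_FILE_MODS is true: WordPress may not change any file, so it cannot update';
	}
	if ( defined( 'WP_AUTO_UPDATE_CORE' ) && false === WP_AUTO_UPDATE_CORE ) {
		$problems[] = 'WP_AUTO_UPDATE_CORE is set to false';
	}
	if ( apply_filters( 'automatic_updater_disabled', false ) ) {
		$problems[] = 'A plugin or theme disables the updater through the automatic_updater_disabled filter';
	}

	// Version control: core refuses to overwrite a checkout, and looks in ABSPATH and every parent.
	$dir = untrailingslashit( ABSPATH );
	while ( true ) {
		foreach ( array( '.svn', '.git', '.hg', '.bzr' ) as $vcs ) {
			if ( is_dir( $dir . '/' . $vcs ) ) {
				$problems[] = "$vcs checkout found in $dir";
				break 2;
			}
		}
		$parent = dirname( $dir );
		if ( $parent === $dir ) {
			break; // reached the filesystem root
		}
		$dir = $parent;
	}

	// Unattended updates need PHP to write the files itself; FTP/SSH credentials cannot be typed in.
	require_once ABSPATH . 'wp-admin/includes/file.php';
	$method = get_filesystem_method();
	if ( 'direct' !== $method ) {
		$problems[] = "Filesystem method is \"$method\", not \"direct\": PHP cannot write the files (ownership/permissions)";
	}
	if ( ! wp_is_writable( ABSPATH ) ) {
		$problems[] = 'ABSPATH (' . ABSPATH . ') is not writable by PHP';
	}

	// The update package is downloaded over HTTPS, which needs OpenSSL support in PHP.
	if ( ! wp_http_supports( array( 'ssl' ) ) ) {
		$problems[] = 'PHP has no SSL support (OpenSSL extension missing), so the package cannot be fetched over HTTPS';
	}

	return $problems;
}

// Show the result to users who could run the update by hand anyway.
add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'update_core' ) ) {
		return;
	}
	$problems = ex_auto_update_blockers();
	if ( empty( $problems ) ) {
		echo '<div class="updated"><p>Background updates: no blocker found on this site.</p></div>';
		return;
	}
	echo '<div class="error"><p>Background updates are blocked:</p><ul>';
	foreach ( $problems as $problem ) {
		echo '<li>' . esc_html( $problem ) . '</li>';
	}
	echo '</ul></div>';
} );
```

The filesystem-method and writability checks are the ones behind the "permissions" reason in the post: when PHP runs as a user other than the file owner, WordPress falls back to FTP, and an FTP updater can never run unattended.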

Danger of data loss due to WordPress error

Imagine the following situation…

Every month you publish your company's financial or marketing results, and to do so you publish a post on the corporate blog showing the PDF with all the company data for the period in question.

Well, a curious or malicious visitor could get ahead of you and have that data before you want to expose it.

How? It is actually simple, and it is due to a WordPress flaw in the way it manages attachments.

Let me explain…

When you create a new post, as long as you do not publish it you can leave it as a draft, pending review or scheduled, and any administrator or editor can preview it beforehand through the temporary URL or even the permanent one; not so a visitor or a user without the appropriate permissions, who gets an error even if they know the URL.

Say, for example, that someone is closely watching your publications: even if they knew the ID of your latest post and ran random tests, typing something like https://ayudawp.com/?p=73876&preview=true they would not have enough permissions to see anything.

But the same does not happen with media you have uploaded to WordPress, whether or not it is attached to a post, because its URL is always accessible.

So if you always upload, say, the financial results with a similar file name structure, of the kind informe_finanzas_2013-08.pdf, someone would have relatively little trouble finding and viewing the file if you uploaded it before publishing the post, something quite usual, even if only by a few hours.

You just need to guess the full URL of the uploaded file, which if you follow the usual pattern is not hard to guess, something like http://tuweb.es/wp-content/uploads/2008/08/informe_finanzas_2013-08.pdf

In sensitive market situations this can be a serious problem in front of your investors or competitors. Do you see it?

But it is even more serious, because in fact it is even easier to guess the URL of an attachment: you do not even need to know the folder where it is hosted, nor the file name; you only need to "guess" the attachment ID, and that is just trial and error.

For example, the following file is not associated with any post, that is, it is not published, and nevertheless, unlike posts, you can see it even without user permissions: https://ayudawp.com/?attachment_id=70246 .

I think you will understand that this is a security flaw in the way WordPress manages the privacy of attachments, don't you?

I hope the way attachment URLs are handled in WordPress changes soon, because this is a silly bug that, in some situations, can be a security hole causing data loss, in some cases of important data. The fix could be, for example, that attachments are only accessible once they are associated with an already published post, not before.
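As an added example, not the author's code nor a fix shipped by WordPress, here is a small must-use plugin that closes the "?attachment_id=" door described above: it refuses to serve the attachment page of a media item unless its parent post is published or the visitor is allowed to read that parent, and serves unattached media only to users who can upload files (my assumption: unattached media is never a public deliverable). It assumes the file lives in wp-content/mu-plugins/. Note its limit, which is exactly the author's point: it covers the attachment page only; a visitor who guesses the direct file URL under wp-content/uploads/ still gets the file straight from the web server.

```php
<?php
/*
Plugin Name: Added example: hide attachment pages of unpublished media
Description: 404 for attachment pages whose parent post is not published, unless the visitor may read it.
*/

/**
 * Decide whether the current visitor may see the attachment page of $attachment.
 *
 * - Attached to a post: allowed if that post is published, or if the visitor may read it
 *   (read_post covers drafts for their author, editors and administrators).
 * - Unattached (post_parent = 0): only users who can upload files, since nothing says the
 *   item is meant to be public yet (assumption, see lead-in).
 */
function ex_visitor_may_view_attachment( WP_Post $attachment ) {
	$parent_id = (int) $attachment->post_parent;

	if ( $parent_id > 0 ) {
		return 'publish' === get_post_status( $parent_id )
			|| current_user_can( 'read_post', $parent_id );
	}

	return current_user_can( 'upload_files' );
}

add_action( 'template_redirect', function () {
	if ( ! is_attachment() ) {
		return;
	}
	$attachment = get_queried_object();
	if ( ! $attachment instanceof WP_Post || ex_visitor_may_view_attachment( $attachment ) ) {
		return;
	}

	// Same response an unknown URL gets, so a guessed ID does not even confirm the item exists.
	global $wp_query;
	$wp_query->set_404();
	status_header( 404 );
	nocache_headers();
	include get_404_template();
	exit;
} );
```

Newer WordPress versions resolve an attachment's "inherit" status from its parent when deciding whether an attachment page is public, so on them this guard mostly adds the unattached-media rule; it is harmless either way, and the direct file URL remains the real problem, which only the web server can solve.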

Solutions?
Well, there are some. For example, you could manually upload the sensitive files to a folder other than the usual WordPress one and then add a rule to the .htaccess file so that no unregistered user can see the files uploaded there, but that is somewhat drastic.

In case it helps, this would be an example of a standard .htaccess with the relevant lines (5, 6 and 7) protecting the folder "private", located inside your "uploads" folder, so that only registered users can see the files:

But as I said, it is somewhat heavy-handed and impractical.
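Since this copy of the post lacks the .htaccess listing, here is a different way to reach the same goal, as an added example that is not the author's snippet: Apache on its own cannot tell whether a visitor is logged in to WordPress, so a rewrite rule hands every request under uploads/private/ to a small PHP script at the site root that loads WordPress, checks is_user_logged_in() and streams the file. The rewrite rule in the comment, the script name and the folder name "private" are assumptions you adapt to your site.

```php
<?php
/*
 * private-download.php, placed in the WordPress root (added example, not from the post).
 *
 * Assumed rule in the root .htaccess, ABOVE the "# BEGIN WordPress" block, so Apache never
 * serves these files directly:
 *
 *   RewriteEngine On
 *   RewriteRule ^wp-content/uploads/private/(.+)$ private-download.php?file=$1 [L,QSA]
 *
 * Everything under wp-content/uploads/private/ then goes through this script.
 */
require_once __DIR__ . '/wp-load.php';

/**
 * Map the requested relative name to a real file inside $base, or return null.
 * realpath() resolves "../" and symlinks, so anything that ends up outside $base is rejected.
 */
function ex_private_file_path( $requested, $base ) {
	$base = realpath( $base );
	$full = realpath( $base . '/' . $requested );
	if ( false === $base || false === $full ) {
		return null;
	}
	if ( 0 !== strpos( $full, $base . DIRECTORY_SEPARATOR ) ) {
		return null; // path traversal, or a symlink pointing elsewhere
	}
	return is_file( $full ) ? $full : null;
}

// 1. Only registered (logged-in) users, which is what the .htaccess in the post achieves.
if ( ! is_user_logged_in() ) {
	auth_redirect(); // sends the visitor to wp-login.php and back here afterwards
}

// 2. Resolve the file safely.
$uploads   = wp_upload_dir();
$requested = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
$path      = ex_private_file_path( $requested, $uploads['basedir'] . '/private' );
if ( null === $path ) {
	status_header( 404 );
	exit;
}

// 3. Stream it as a download with an explicit content type, never rendered inline
//    (an HTML or SVG file in that folder would otherwise execute in the site's origin).
$type = wp_check_filetype( basename( $path ) );
nocache_headers();
header( 'Content-Type: ' . ( $type['type'] ? $type['type'] : 'application/octet-stream' ) );
header( 'Content-Length: ' . filesize( $path ) );
header( 'Content-Disposition: attachment; filename="' . rawurlencode( basename( $path ) ) . '"' );
header( 'X-Content-Type-Options: nosniff' );
readfile( $path );
exit;
```

As a belt-and-braces measure, also drop a .htaccess with `Require all denied` (Apache 2.4) inside uploads/private: the script reads the files from disk, not over HTTP, so it keeps working, while a forgotten or broken rewrite rule no longer exposes the folder.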

A less drastic and more controlled way of offering certain attachments would be to use a plugin that manages file downloads, such as WP Download Manager, WP-Filebase or Easy Digital Downloads.

That way sensitive files are only offered through downloads managed by the plugin, and these plugins usually offer options so that certain files can only be downloaded with a password or only by registered users, which gives you more possibilities.

But these are workarounds for an existing problem. If you know of any other solution, let us know, okay?

NOTICE: this post is two or more years old. If it's code or a plugin it might not work in the latest versions of WordPress, and if it's news it might be out of date. So don't say we didn't warn you.


Allow collaborators to upload images

WordPress roles and capabilities come predefined in a standard configuration that does not always fit your needs, which is why on practically any multi-user WordPress you will be tempted to install a plugin to customize these settings.

But it is not always necessary.

One of the most common situations is giving more permissions to the "Contributor" role, which by default can create posts and submit them for review, but cannot upload images.

This, which provides a high level of security, can be a real nuisance for the editor, who not only has to approve the post but also illustrate it with images, since the contributor does not have permission to do so.

Don't get me wrong, it makes sense, because it is not only a security control to avoid uploading compromised files; in an editorial environment it is also important to check that the images used in posts are suitable (for their power of attraction) and, more importantly, that they carry the relevant author permissions, to avoid copyright complaints.

Now, since this is something the editor can check afterwards, in many environments it makes perfect sense to allow contributors to upload images.

If you want, you can install one of the many plugins that let you customize, or even create, roles and capabilities, such as Members or Role Scoper, but if that is too much and you just want to add this one feature, you can add it to your utilities plugin simply by adding this code:

Save the changes, and the next time a contributor opens the WordPress post editor the media uploader will be enabled.
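The original snippet is missing from this copy of the post, so here is an added example of my own that does the same thing and goes one step further than the post: granting upload_files alone lets a contributor upload every file type the site accepts (PDFs, ZIPs and so on), so the second half restricts contributors to raster image types through the upload_mimes filter. It assumes the code runs as a plugin (or in your utilities plugin, as the post suggests) and that you want exactly the Contributor role widened.

```php
<?php
/*
Plugin Name: Added example: contributors may upload images (and only images)
*/

// 1. Grant the capability. add_cap() stores the change in the database, so the has_cap()
//    check avoids rewriting the option on every request once it is done.
add_action( 'init', function () {
	$role = get_role( 'contributor' );
	if ( $role && ! $role->has_cap( 'upload_files' ) ) {
		$role->add_cap( 'upload_files' );
	}
} );

/**
 * Allowed MIME map for a given user: contributors keep only the raster image entries of
 * WordPress' default list; everyone else keeps the normal list. SVG is not in the default
 * list, so it stays out (an SVG can carry script and render in the site's origin).
 */
function ex_allowed_mimes_for( array $mimes, $user = null ) {
	if ( is_numeric( $user ) ) {
		$user = get_userdata( $user );
	}
	if ( ! $user instanceof WP_User ) {
		$user = wp_get_current_user();
	}
	if ( in_array( 'contributor', (array) $user->roles, true ) ) {
		$image_keys = array( 'jpg|jpeg|jpe', 'gif', 'png' ); // keys exactly as WordPress names them
		$mimes      = array_intersect_key( $mimes, array_flip( $image_keys ) );
	}
	return $mimes;
}
add_filter( 'upload_mimes', 'ex_allowed_mimes_for', 10, 2 );
```

The filter is enforced by WordPress' upload checks, not just by the media uploader's UI, so a contributor renaming a file or posting the upload form by hand is rejected too. What a contributor can still do with the new capability is see the Media library and edit or delete their own uploads, which is usually acceptable in the editorial setting the post describes.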


Permalinks by default without user intervention

If you set up installations for others, you surely know that you should not give administrator privileges to just anyone, because they break things. You can be for or against doing it, but that is the reality.

Some settings changes do no harm, but others can destroy all the work done, or the search positioning, for example changing the permanent links, the permalinks.

But did you know that permalinks can be set by default? It can be done, and it is also super simple. You just have to decide whether you will force them from a functions plugin or from the theme's functions.php file, because to do it you have to add this code to one of them:

Save the changes and that's it: if your .htaccess file is writable, the permalinks will be active as long as the theme with that functions.php, or the plugin containing the function, is active.

You can, of course, change the structure to whichever you decide, for example just /%postname%/, or any of those available in WordPress' permalink settings.
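The function itself is missing from this copy of the post, so here is an added example of my own that sets the structure and, beyond what the post describes, also pins it so that Settings > Permalinks (or anything else) cannot save a different value. It is written as a plugin; drop the header to paste it into functions.php. The structure /%postname%/ is the post's own example, and the hook choice (admin_init rather than init) is mine, because flush_rewrite_rules() only writes .htaccess when the admin helper files are loaded.

```php
<?php
/*
Plugin Name: Added example: force and pin the permalink structure
*/

// The structure to enforce; /%postname%/ is the post's example.
const EX_PERMALINK_STRUCTURE = '/%postname%/';

// 1. Apply it on the first admin page load after activation and never again while it holds.
add_action( 'admin_init', function () {
	if ( get_option( 'permalink_structure' ) === EX_PERMALINK_STRUCTURE ) {
		return; // already in place: do not regenerate rules and .htaccess on every request
	}
	global $wp_rewrite;
	$wp_rewrite->set_permalink_structure( EX_PERMALINK_STRUCTURE );
	flush_rewrite_rules(); // rebuilds the rules and, if .htaccess is writable, updates it
} );

// 2. Pin it: whatever value anything tries to store in the option, the forced one wins.
add_filter( 'pre_update_option_permalink_structure', function ( $value ) {
	return EX_PERMALINK_STRUCTURE;
} );
```

Keep .htaccess writable only for the moment the rules are written and then make it read-only again: a permanently web-writable .htaccess is a favourite place for injected redirects on a compromised site, which is a bigger problem than a client changing the permalinks.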

If you choose the plugin option, you already know you can also stop them touching plugins by configuring the user's permissions, so that they cannot update or deactivate them and break everything; and if you choose the theme, you can also prevent them from modifying the theme or switching themes, or a combination of both tricks.

You can use this function to prevent unwanted permalink changes after installing WordPress, or even to force default permalinks as soon as you create new installations, avoiding repetitive tasks; you decide.

Nice trick from be-studios.


What permissions to put files and folders in WordPress

(Image: chmod, from the Bit and Byte comic strips.)

The more popular WordPress becomes, and the more high-traffic and influential sites use it, the more it becomes a target for hackers and other riff-raff.

That is why you need to have a few things clear and secure WordPress as well as possible.

One of the most important elements when securing any website is the (UNIX) permissions of files and folders, and the basic rule in WordPress is the following:

  • 644 for files
  • 755 for folders

You'll see that on most occasions you do not need to change these permissions, because either your hosting server or WordPress itself already sets them correctly, but it is not always like that.

So it is good to check your installation's permissions and follow the basic rule above. If after changing the permissions some plugin or theme gives you problems, you can change the permissions of the specific folder or file it requires, but always being aware that you are leaving a possible security hole.

Examples of cases where you may need special permissions are "cache" folders, where themes store thumbnails and some plugins store temporary files, which often, or almost always, need 666 or 777 (full) permissions, or plugins whose configuration file also requires special permissions.

In those cases weigh the decision carefully, because sometimes it is better to switch to a plugin that offers the same without that "peculiarity" than to leave a possible gap for hackers to get in.

If you want to review file permissions, some options are:

  • The file manager of your hosting control panel, where you can browse folders and there is always a link or button to change permissions.
  • An FTP client such as FileZilla or Transmit, where by right-clicking on any file or folder you can change the permissions, or open its info window and change them there.
  • An FTP plugin for WordPress, a "pluginized" version of an FTP client, such as Filepress, where you will also find this option.
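For anyone with shell access, here is an added example (my own script, not from the post) that checks the whole installation against the 644/755 rule from the command line, flags the world-writable 666/777 cases the post warns about, and optionally fixes everything. The one departure from the rule is an override that keeps wp-config.php at 640, my assumption that a file holding database credentials should not be readable by "others"; drop it if your PHP runs as a different user than the file owner or you want the plain rule everywhere.

```php
<?php
/*
 * audit-perms.php: run from the WordPress root on the command line (added example):
 *     php audit-perms.php         # report only
 *     php audit-perms.php --fix   # also chmod every finding to the expected mode
 * Expected modes follow the post's rule: 644 for files and 755 for folders.
 */

/**
 * Walk $root and return every path whose mode differs from the rule.
 * Each finding: path (relative), mode (current, octal string), want (expected, octal string),
 * world_writable (true for the 666/777 cases). With $fix = true the mode is corrected as well.
 */
function ex_audit_permissions( $root, $fix = false, array $overrides = array() ) {
	$root     = realpath( $root );
	$findings = array();
	$iterator = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
		RecursiveIteratorIterator::SELF_FIRST
	);
	foreach ( $iterator as $path => $info ) {
		if ( $info->isLink() ) {
			continue; // chmod on a symlink would follow it; leave links alone
		}
		$relative = substr( $path, strlen( $root ) + 1 );
		$mode     = fileperms( $path ) & 0777;
		$want     = $info->isDir() ? 0755 : 0644;
		if ( isset( $overrides[ $relative ] ) ) {
			$want = $overrides[ $relative ];
		}
		if ( $mode === $want ) {
			continue;
		}
		$findings[] = array(
			'path'           => $relative,
			'mode'           => sprintf( '%04o', $mode ),
			'want'           => sprintf( '%04o', $want ),
			'world_writable' => (bool) ( $mode & 0002 ),
		);
		if ( $fix ) {
			chmod( $path, $want );
		}
	}
	return $findings;
}

// Assumption (see lead-in): wp-config.php holds credentials, so keep it unreadable by "others".
$overrides = array( 'wp-config.php' => 0640 );
$fix       = isset( $argv ) && in_array( '--fix', $argv, true );

foreach ( ex_audit_permissions( __DIR__, $fix, $overrides ) as $finding ) {
	printf(
		"%s %-60s %s -> %s%s\n",
		$finding['world_writable'] ? '!!' : '  ',
		$finding['path'],
		$finding['mode'],
		$finding['want'],
		$fix ? '  (fixed)' : ''
	);
}
```

Run it without --fix first: the lines marked "!!" are the world-writable cache and configuration files from the previous paragraphs, and each one deserves the "is there a plugin that does not need this?" question before you decide to leave it as it is.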

Actually, changing file and folder permissions is simpler than it seems, and the security of your WordPress deserves the small effort, don't you think?

Also, it never hurts to use a WordPress security suite.


Disable users without deleting them

I don't know about you, but it happens to me a lot. Whenever I have WordPress user registration open, let alone when I let users act as contributors with publishing possibilities, there are loads of registrations from readers who later decide not to participate. And that is the best case.

Then there are the spammers who register wherever they see an active 'wp-login.php', to try to sneak in.

And it is especially with these that, although you can delete them, it is better to deactivate them rather than remove them altogether. If you delete the account, its username and e-mail address are free again and the spammer simply registers once more; if you deactivate it, the account stays on your site but can do nothing, even with all its permissions revoked, so you do not receive new registration attempts.

This holds on any WordPress with registration open, and even more so on WordPress multisite, especially if users can create new blogs/sites.

Another situation is when your WordPress site is a community, such as BuddyPress or a Multisite; in those cases a system to deactivate users, temporarily or not, in the style of forum moderation, is especially useful.

Well, there are several simple ways to keep these (or other) users "alive" but inactive…

The first is a manual action already available in WordPress by default: downgrade the profile to the Subscriber level, with which they can only read. Combined with a plugin that restricts access to parts of the dashboard, this is practical and effective enough most of the time.

Another option, which you may not know, is the User Control plugin. What it does is add a new "capability" to the user roles through which, regardless of their role, you can deactivate them. The only role it does not act on is Administrator.

Once a user has been deactivated their account still exists but, when they try to log in to your site, they are shown a message that their user has been deactivated, very similar to the typical forum "ban", and a way to calm down troublesome users.

The last one, a bit more sophisticated, uses the Members plugin, which you already know. With this plugin you can customize user roles and capabilities on your site, and even create new roles.

Here the option would be to create a new role, which we will call "Bozo" (a name used in forum culture for an annoying user, and also used in bbPress), for example. We assign this role no capability at all, not even the basic "Read", which is the only one the default Subscriber role has.

Then we only have to assign this role to the users we want to deactivate. From then on, when they try to access WordPress they will receive a nice error message.
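The same "empty role" idea can be done without the Members plugin, and with one detail that a role change alone does not give you: a user who is already logged in keeps working until their cookie expires unless their sessions are destroyed. Here is an added example of my own (not the post's, not the User Control or Members plugins) that creates the capability-less role, provides disable/enable helpers that also end all of the user's sessions, and rejects logins for disabled accounts. It assumes WordPress 4.0 or later for WP_Session_Tokens, and takes "can manage_options" as the definition of an administrator that must not be disabled.

```php
<?php
/*
Plugin Name: Added example: "disabled" role that blocks logins and ends sessions
*/

const EX_DISABLED_ROLE = 'disabled';

// 1. A role with no capabilities at all, like the "Bozo" role in the post.
//    add_role() persists the role in the database, hence the check.
add_action( 'init', function () {
	if ( ! get_role( EX_DISABLED_ROLE ) ) {
		add_role( EX_DISABLED_ROLE, 'Disabled', array() );
	}
} );

/**
 * Deactivate a user: replace all their roles with the disabled one and destroy every
 * session they currently hold, so an already logged-in spammer is thrown out now, not
 * when the cookie expires. Administrators are left alone, as User Control does
 * (assumption: manage_options marks an administrator).
 */
function ex_disable_user( $user_id ) {
	$user = get_userdata( $user_id );
	if ( ! $user || user_can( $user, 'manage_options' ) ) {
		return false;
	}
	$user->set_role( EX_DISABLED_ROLE );
	WP_Session_Tokens::get_instance( $user->ID )->destroy_all();
	return true;
}

/** Re-enable: back to the site's default role for new users. */
function ex_enable_user( $user_id ) {
	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return false;
	}
	$user->set_role( get_option( 'default_role', 'subscriber' ) );
	return true;
}

// 2. Refuse to log disabled users in. Priority 30 runs after the core username/password
//    and application-password checks (priority 20), so $user is already resolved. The same
//    filter serves wp-login.php, XML-RPC and application-password logins.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( $user instanceof WP_User && in_array( EX_DISABLED_ROLE, (array) $user->roles, true ) ) {
		return new WP_Error( 'account_disabled', 'This account has been disabled.' );
	}
	return $user;
}, 30, 3 );
```

The error message is what the post calls the "nice error message": it is shown on the login form, the account and its e-mail stay taken, and the spammer cannot re-register under the same identity.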

Personally, I like the "Members method" more, but it must be admitted that "User Control" seems less drastic, and may annoy deactivated users less.

Of course, if you can think of a better way, tell us in the comments; there surely is one I don't know about, and we would all like to learn more.


Prevent theme changes

Continuing from what we discussed yesterday, where we explained how to prevent plugins from being deactivated, today we are going to see a great trick to prevent someone from changing the theme in WordPress.

The most common situation, again, is a website you have set up for a client who, with more permissions than they should have, can think of nothing better than installing a theme and switching to it "to see how the site looks like that". You already know the result: the usual thing is that they make a mess and then cannot reactivate the previous theme, or when they do, something stops working.

So, let's play it safe and, if that is your case, let your client install plugins and the like, but not change the theme you worked so hard on for one with more colours, because their daughter said it is cooler since it looks like Tuenti.

Just add this code to your wonderful theme's functions.php file, save the changes, and you're done. The only thing you have to adapt in the code is the user ID that keeps access, that is, your administrator user ID; if it is not "1", change it to your ID.
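This copy of the post lacks the snippet, so here is an added example of my own (not the author's code nor the wpmu day trick it adapts) that achieves the same thing through map_meta_cap: every capability check in WordPress passes through that filter, and appending 'do_not_allow' makes the check fail for everyone except the chosen user ID, administrators and multisite super admins included. It assumes user ID 1 is you, as the post does; it is written as a plugin, and pasting it into functions.php without the header works the same way.

```php
<?php
/*
Plugin Name: Added example: only one administrator may switch or install themes
*/

// The user ID that keeps control of themes; "1" is the first administrator on most installs.
const EX_THEME_OWNER_ID = 1;

// Deny the theme-related primitive capabilities to everyone else. Nothing is written to the
// roles stored in the database, so removing this code restores the normal behaviour.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
	$theme_caps = array( 'switch_themes', 'install_themes', 'delete_themes' );
	if ( in_array( $cap, $theme_caps, true ) && (int) $user_id !== EX_THEME_OWNER_ID ) {
		$caps[] = 'do_not_allow';
	}
	return $caps;
}, 10, 3 );

// Cosmetic: hide the Themes submenu from users who could no longer use it anyway.
add_action( 'admin_menu', function () {
	if ( ! current_user_can( 'switch_themes' ) ) {
		remove_submenu_page( 'themes.php', 'themes.php' );
	}
}, 999 );
```

edit_theme_options is deliberately left alone, so the client can still use widgets, menus and the Customizer on the theme you built; only activating, installing or deleting themes is locked to your user.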

Again, if you prefer plugins, you can use the capability restriction feature of the Members plugin.

The code is an adaptation of the wpmu day trick.
